ASA access control list with cross-user authentication _03

Access Control List

ACLs can be used for interfaces, as well as global

Interface access control lists can only control traversal traffic (except session connections)

All traffic terminated to the ASA, controlled by different administrative access lists (e.g. SSH 0 0 DMZ)

All the ASA initiated is allowed

The ASA configures the same priority ACL is to squeeze the original and the router is directly replaced

Interface rules and security

Default: Outbound (High-low) allow, inbound (low-to-high) rejection

Interface rules: input (Main) control change interface entry, output control out

enable password cisco                         //telnet requires the Enable password same-security-traffic  permit inter-interfacesame-security-traffic permit intra-interfaceaccess-list out  extended permit tcp any host 192.168.117.100 eq telnet // Two aclaccess-list out extended permit tcp any host 192.168.112.100 named out  eq www access-list out extended deny ip any any log          //log deny Packet access-group out in  interface outside                 //applies out acl-list to the outside interface router ospf 1                                          //the following routes  network 192.168.12.0 255.255.255.0  area 0 network 192.168.17.0 255.255.255.0 area 0 log-adj-changes  default-information originate always   time-range onwork                          //set a time range      periodic weekdays 9:00 to 19:15  access-list out line 1 extended permit tcp host 192.168.116.100  host 192.168.117.100 eq telnet time-range onwork                           //acl takes effect within the time frame

Objet-group

A network segment protocol port can be made into a collection for invocation, and can be nested to call

.....................................

This article is from the "Try" blog, so be sure to keep this source http://beening.blog.51cto.com/9079117/1788164

ASA access control list with cross-user authentication _03